Hello,
Recently we have finished upgrading all of our managed machines to SEP 12, and now that the upgrade is complete, I noticed that a large number of our clients in SEPM are not reporting client versions, definition versions, etc. The machines show up as we have our AD structure imported into SEPM, however the fields just say "client version unavailable," or something similar. I did some research into this and it seems like it is a problem with the hardware ids on the clients being incorrect. All of the clients I have tested so far are able to communicate with our server as they have updated definitions, and report having successful connections, but no information can be read from SEPM. I am able to fix it manually by the following steps:
- Turn off Tamper Protection by opening the client
- Go to Change Settings and select Client Management.
- Select the Tamper Protection Tab and disable
- Then empty the Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID=""
- Delete the file:
  - In Windows XP and Windows 2003 systems: C:\Documents and Settings\All Users\Application Data\Symantec Shared\PersistedData\sephwid.xml
  - In Windows 7.0 and 2008 the folders will be located under C:\Program Data\Symantec\Symantec Endpoint Protection\PersistedData\sephwid.xml
- Delete any client that appears in the Symantec Protection Center.
- Go to Start > Run and type SMC -Stop and run
- Go to Start > Run and type SMC -Start and run
- Turn On Tamper Protection by opening the client
- Go to Change Settings and select Client Management.
- Select the Tamper Protection Tab and enable
This will generate unique HardwareIDs and sephwid.xml files for each client.
Because I have so many machines to fix this on (over 300) I was hoping to write a script that did this, as it would seem to be fairly straightforward, however I am having lots of issues disabling tamper protection from a script. Doing some research on this it appears you can disable tamper protection by changing a registry key located here:
HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan\disabled
I was reading that if you set that key to 1 it will disable tamper protection, the issue is that it won't let me change that key unless I already have tamper protection disabled, which defeats the purpose. Does anyone know of a way to disable tamper protection without having to manually do it on the client? Ideally I would be able to just disable it temporarily on the machines that need fixed, correct the hardware id problem, and then reenable it, but it is turning out to be more difficult than I thought. Any ideas? Thanks!